Skip to content

Instantly share code, notes, and snippets.

@bridgeythegeek
Last active August 15, 2023 10:48
Show Gist options
  • Save bridgeythegeek/d7a6c449287c6e32187be2639a7920bf to your computer and use it in GitHub Desktop.
Save bridgeythegeek/d7a6c449287c6e32187be2639a7920bf to your computer and use it in GitHub Desktop.
My First PANDA

My First PANDA

Introduction

Being someone who tries to play a lot with Windows memory, I really wanted to play with PANDA, but I was slightly scared because I'd never touched qemu before - all my experience had been with VirtualBox and VMware.

My goal was to install PANDA into a (relatively) clean install of Debian 8 'Jessie', capture a recording and successfully run a PANDA plugin.

1. Get PANDA

$ git clone https://github.com/moyix/panda.git

Ok, that was easy.

2. Install PANDA

$ cd panda
$ ./panda_install.bash

As I mentioned, (relatively) clean install of Debian 8 and this installed without a hitch.

3. A working folder and a working HDD

I make a working directory to store the files for my test:

$ mkdir 20160423_test
$ cd 20160423_test

Now, my VM's going to need a HDD:

$ ../qemu/qemu-img create -f qcow2 test.img 32G

Let me explain:

  • ../qemu/qemu-img
    • call the qemu-img program, it manages images.
  • create
    • create a new HDD image.
  • -f qcow2
    • specify the format as 'qcow2' (apparently that's the best??).
  • test.img
    • the file name of the file which will be my HDD image.
  • 32G
    • the HDD will have a capacity of 32GB.

You'll note that if you do a ls -lh the test.img file isn't 32GB. This is because one of the advantages of the qcow format is that it only allocates spaces as it's needed. Basically, it'll grow as the guest OS actually uses the space.

4. Launch the VM!

../qemu/x86_64-softmmu/qemu-system-x86_64 test.img --monitor stdio -vnc 127.0.0.1:1 -k en-gb -m 2048

Let me explain:

  • ../qemu/x86_64-softmmu/qemu-system-x86_64
    • launch the qemu hypervisor with x86_64 architecture.
  • test.img
    • the HDD that the VM is going to use.
  • --monitor stdio
    • as mentioned in PANDA's manual, this is a way of being able to send commands to qemu. We're going to need this to actually do PANDA things.
  • -vnc 127.0.0.1:1
    • this facilitates connecting to the VM using vnc. We'll connect to 127.0.0.1, display 1.
  • -k en-gb
    • the default keyboard is en-us, I use a en-gb one.
  • -m 2048
    • the amount of memory to give the VM, in MB, so 2048 = 2GB.

NOTE: You can quit qemu and poweroff the VM by issuing the quit command at the qemu prompt:

(qemu) quit

5. Connect to the VM and install an OS

With the VM now running, I used 'Remote Desktop Viewer' to connect to the VM:

  • Protocol: VNC
  • Host: 127.0.0.1:1

Once connected, you should see the VM's BIOS complaining that it can't find an operating system. Because we haven't installed one yet.

Back at the qemu command prompt we need to attach an ISO to the CD drive:

(qemu) change ide1-cd0 /path/to/Windows7-x64-installer.iso

This will mount the ISO into the VM's CD drive.

You can then reboot the VM by sending a CTRL+ALT+DEL via Remote Desktop Viewer.

Once rebooted, you should be able to install Windows.

NOTE: You can mount the ISO at boot by adding a parameter, for example:

qemu-system-x86_64 test.img --monitor stdio -vnc 127.0.0.1:1 -k en-gb -m 2048 -cdrom /path/to/ISO

6. Do something!

With Windows booted up and having logged in, I brought up the Windows 'Run' dialog (WIN+R) and typed "notepad" into the dialog - not hitting return just yet.

Then back to my qemu prompt to start recording:

(qemu) begin_record notepad

qemu (well, PANDA) reports taking a snapshot and starting the log file:

writing snapshot:	./notepad-rr-snp
opening nondet log for write :	./notepad-rr-nondet.log

I then went back to my VM, hit enter to launch Notepad, and typed "PANDA!" into Notepad.

Then, back to the qemu prompt, to end the recording:

(qemu) end_record

And qemu (well, PANDA) reports:

Time taken was: 16 seconds.

I now have a PANDA recording of my activity.

To end, from within my VM, I shut it down - in the normal way (Start -> Shutdown). This also terminated qemu.

Run a Plugin: replaymovie

Ok, so I have a replay. I thought it'd be good if I could get PANDA to generate a movie of the activity I recorded.

There's a replaymovie plugin that generates stills, and a script that will sew the stills into a movie.

So off we go:

$ ../qemu/x86_64-softmmu/qemu-system-x86_64 -replay notepad -panda replaymovie -m 2048

Let me explain:

  • ../qemu/x86_64-softmmu/qemu-system-x86_64
    • the qemu program.
  • -replay notepad
    • we're replaying the recording named "notepad".
  • -panda replaymovie
    • invoke the PANDA plugin named "replaymovie".
  • -m 2048
    • qemu needs to know how much memory the original machine had.

I now have 101 PPM files, each being a still from the activity. That's pretty awesome.

Before being able to use the script to sew the stills together, I had to install libav-tools:

$ sudo aptitude install libav-tools

And then, to generate the mp4:

$ ../qemu/panda_plugins/replaymovie/movie.sh
@o0xmuhe
Copy link

o0xmuhe commented Nov 8, 2018

Great! Thank you!

@mdsakibanwar
Copy link

This is very helpful writing. Thank you very much.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment